In mcrypt, check salt lengths and exit with an error, rather than

overrunning a buffer, if too long. CVE-2012-4409. Patch from http://seclists.org/oss-sec/2012/q3/396, ok benoit@
2012-09-06 21:56:31 +00:00 · 2012-09-06 21:56:31 +00:00 · 53b1da7ff8
commit 53b1da7ff8
parent f882f71afb
3 changed files with 53 additions and 3 deletions
--- a/security/mcrypt/Makefile
+++ b/security/mcrypt/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.24 2011/04/16 21:13:44 sthen Exp $
+# $OpenBSD: Makefile,v 1.25 2012/09/06 21:56:31 sthen Exp $

 COMMENT =	extendable encryption program that supports many ciphers

 DISTNAME =		mcrypt-2.6.8
-REVISION =		1
-CATEGORIES =     	security
+REVISION =		2
+CATEGORIES =		security

 HOMEPAGE =		http://mcrypt.sf.net/

--- a/security/mcrypt/patches/patch-src_errors_c
+++ b/security/mcrypt/patches/patch-src_errors_c
@ -0,0 +1,35 @@
+$OpenBSD: patch-src_errors_c,v 1.1 2012/09/06 21:56:31 sthen Exp $
+
+Format strings, http://seclists.org/oss-sec/2012/q3/396
+
+--- src/errors.c.orig	Thu Sep  6 22:24:15 2012
+++ src/errors.c	Thu Sep  6 22:24:34 2012
+@@ -24,24 +24,24 @@ extern int quiet;
+ 
+ void err_quit(char *errmsg)
+ {
+-	fprintf(stderr, errmsg);
+	fprintf(stderr, "%s", errmsg);
+ 	exit(-1);
+ }
+ 
+ void err_warn(char *errmsg)
+ {
+ 	if (quiet <= 1)
+-		fprintf(stderr, errmsg);
+		fprintf(stderr, "%s", errmsg);
+ }
+ 
+ void err_info(char *errmsg)
+ {
+ 	if (quiet == 0)
+-		fprintf(stderr, errmsg);
+		fprintf(stderr, "%s", errmsg);
+ }
+ 
+ void err_crit(char *errmsg)
+ {
+ 	if (quiet <= 2)
+-		fprintf(stderr, errmsg);
+		fprintf(stderr, "%s", errmsg);
+ }
--- a/security/mcrypt/patches/patch-src_extra_c
+++ b/security/mcrypt/patches/patch-src_extra_c
@ -0,0 +1,15 @@
+$OpenBSD: patch-src_extra_c,v 1.1 2012/09/06 21:56:31 sthen Exp $
+
+CVE-2012-4409, patch from http://seclists.org/oss-sec/2012/q3/396
+
+--- src/extra.c.orig	Thu Sep  6 22:23:29 2012
+++ src/extra.c	Thu Sep  6 22:24:09 2012
+@@ -242,6 +242,8 @@ int check_file_head(FILE * fstream, char *algorithm, c
+ 			if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
+ 				*salt_size = m_setbit(0, sflag, 0);
+ 				if (*salt_size > 0) {
+					if (*salt_size > sizeof(tmp_buf))
+					    err_quit(_("Salt is too long\n"));
+ 					fread(tmp_buf, 1, *salt_size,
+ 					      fstream);
+ 					memmove(salt, tmp_buf, *salt_size);